Mapping Illumio to the CIS Top 20
Over the last few weeks, we’ve observed an uptick in inquiries from companies that want to understand how Illumio helps them with their Center for Internet Security (CIS) Security Controls initiatives. The CIS Top 20 Controls are widely adopted and have been around for more than 10 years, with the latest version (7.1) released in April 2019, so we were intrigued by this trend. We spoke to these companies about their motivations and interest in Illumio and learned a great deal.
Most of these organizations have been using the CIS best practices guidelines for a while, but the rapid transition to remote work operating models combined with reported increases in cyberattacks are forcing them to re-evaluate their controls and tools. An April 2020 CSO survey found that 26% of respondents have seen an increase in the volume, severity, and/or scope of cyberattacks since mid-March. Some of these companies are continuing their transition to public clouds and increasing the virtualization footprint inside their data centers. They all want to do a better job of understanding gaps in their security controls and enabling technologies.
With this in mind, here is a high-level overview on how Illumio supports the CIS Top 20 Controls.
CIS Top 20 Critical Security Controls overview
Let’s begin with a quick primer on the CIS Top 20 Critical Security Controls. The Controls were initially created by the NSA red and blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations, and some of the nation's top forensics and incident response organizations.
The controls are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They reflect the combined knowledge of commercial and government forensic and incident response experts.
Implementing and operationalizing the CIS Top 20 Security Controls isn’t a “one-and-done” exercise. Technology, the threat landscape, and attack techniques are constantly evolving. The controls are updated, validated, and refined every year. They are not meant to replace a compliance program, and actually map to frameworks like NIST CSF and compliance standards like PCI-DSS and HIPAA. Many use CIS controls as the baseline for information security best practices, which they then augment to address corner cases and to meet highly specific and prescriptive requirements.
Mapping Illumio to the CIS Top 20 Controls
Here’s how Illumio’s capabilities help you directly meet or support a CIS control.
Basic controls
1. Inventory and Control of Hardware Assets. Illumio supports this control through the real-time application dependency map, which shows which servers belong to an application group and which servers and devices are authorized to connect to those applications, so you can identify and validate hardware inventory against what is actually on the network. Illumio supports API-based integration with third-party tools such as NAC, asset discovery, and ServiceNow CMDB and Service Mapping to validate inventory. The Illumio agent runs on bare-metal servers, VMs, public cloud instances, and containers, and collects the telemetry (IP addresses, ports, processes, protocols) used to build the application dependency map.
2. Inventory and Control of Software Assets. Illumio supports this control by enabling you to use the application dependency map to identify the applications and workload components that belong to an application group and the other software stack components that are authorized to connect to them, including multi-cloud and container-to-server connections and connections with public cloud instances. The connectivity and flow information enriches the software inventory that is managed by asset management, CMDB, and SCM tools. Illumio’s default-deny model logically segregates high-risk applications that are nonetheless required for business operations. For resources that cannot run an agent, such as AWS RDS, Azure managed SQL, GCP flows, and storage filers, the Flowlink feature provides agentless visibility.
3. Continuous Vulnerability Management. Illumio supports this control by integrating with vulnerability scanners and ingesting their findings. It overlays that information on the dependency map to show the potential lateral attack paths that malware could use. The Vulnerability Exposure Score offers a business-centric calculation of risk that you can use to prioritize your patching strategy, and to apply process-level segmentation where patching is not operationally feasible.
4. Controlled Use of Administrative Privileges. Illumio supports this control by integrating with leading MFA solutions. Illumio can monitor and enforce policies so that dedicated administrative workstations are isolated and least privilege is applied to their connections. In VDI environments, connections to workload applications are controlled based on the user’s Active Directory group membership.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Illumio supports this control alongside SCM tools by providing visibility into all workload traffic and surfacing ports and protocols in use that application owners do not expect, so misconfigurations can be remediated quickly.
6. Maintenance, Monitoring, and Analysis of Audit Logs. If a customer is using Illumio to segment their internal data center and cloud, user-to-application, and endpoint peer-to-peer connections, Illumio maintains a log of all connections and traffic flows, events (allowed, blocked, and potentially blocked traffic), and the history of the related policies, rules, and events. Authorized operators can search the Illumio historical traffic database for operations, incident response and investigations, reporting, and audit. Illumio integrates with leading SIEM tools like Splunk, IBM QRadar, and ArcSight to archive, search, and correlate large sets of log and event data for reporting, investigations, and incident response.
Foundational controls
9. Limitation and Control of Network Ports, Protocols, and Services. Illumio directly meets this control. Illumio uses detailed historical information about an application’s connections and traffic flows, including ports, processes, and protocols, to recommend an initial set of firewall rules. Because the model is default-deny, any connection that falls outside those rules is reported as potentially blocked while the policy is in test mode and is blocked once the policy is enforced.
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches. Illumio directly meets this control. Illumio maintains detailed historical and real-time traffic and event logs that can be used to validate that network devices, specifically East-West firewalls, are doing what they should and are not allowing traffic that firewall policy should prohibit. Users can create an IP denylist to block communications with known malicious or unused Internet IP addresses, and can limit workload-to-workload connections to specific ports, processes, and protocols. Illumio Core also protects its Virtual Enforcement Node (VEN) agent against tampering. With Illumio micro-segmentation, network administration machines can be isolated and be the only hosts granted elevated access, and you can implement finer-grained segmentation without re-architecting VLANs and subnets every time the business need changes.
12. Boundary Defense. Illumio directly meets this control. Illumio applies host-based segmentation to monitor and control connections and flows between applications and devices with different trust levels. You can achieve fine-grained segmentation without a costly and risky re-architecture of your networking infrastructure.
13. Data Protection. Illumio supports this control by proactively preventing unauthorized workloads and users from connecting to protected applications through its default-deny model, and by identifying and blocking the potential lateral attack pathways of malicious actors. Illumio detects and blocks unauthorized connections that may attempt to transfer sensitive information and sends alerts to the security team. You can also use Illumio to program and enforce policies that control access and connections to cloud and email providers.
14. Controlled Access Based on the Need to Know. Illumio directly meets this control. Illumio can be used to control authorized connections across workloads, applications, VDI users, and devices. Illumio Core can help manage access to an environment by controlling network access to a system and, potentially, logical access as well. External IP addresses can be added to rulesets and applied to groups based on which users need to reach those systems (a user here can be a machine or an individual operator). These rules can be enabled or disabled at the policy level to immediately and efficiently revoke specific access to systems. In VDI environments, Adaptive User Segmentation can be used to permit access to particular resources based on Active Directory group membership.
15. Wireless Access Control. Illumio supports this control by programming and enforcing segmentation for wireless access on specific authorized devices and servers, and by restricting access to other wireless networks.
16. Account Monitoring and Control. Illumio supports this control by integrating with third-party SSO and access governance tools. You can also use Illumio’s on-demand encryption to ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
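To make the mechanics behind controls 3, 9, 11 and 14 concrete, here is a small Python model of label-based, default-deny host segmentation. It is example code added for this page, not Illumio’s own software or API: the workload names, labels, IP addresses, observed flows, the hand-authored ingress rule, the denylisted address and the vulnerable port are all constructed, and the rule-recommendation threshold and the exposure count are simplifications standing in for the product’s own logic. It shows how observed flows become label-based allow rules, how a flow with no matching rule is reported as potentially blocked in test mode and blocked when enforced, how a denylisted IP is refused regardless of rules, and how many peers can still reach a vulnerable port once the policy is enforced.

```python
"""Toy model of label-based, default-deny host segmentation (added example, not
Illumio's code): recommend rules from observed flows, evaluate flows in test vs.
enforced mode, and list peers that can reach a vulnerable port. Data is made up."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    app: str
    role: str
    env: str

    def labels(self) -> frozenset:  # e.g. {("app", "shop"), ("role", "web"), ...}
        return frozenset({("app", self.app), ("role", self.role), ("env", self.env)})


@dataclass(frozen=True)
class Flow:
    src: str  # workload name, or a bare IP for a peer without an agent
    dst: str
    port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src_labels: frozenset  # empty set means "any source"
    dst_labels: frozenset
    port: int
    proto: str


def resolve(peer: str, inv: dict) -> Tuple[str, frozenset]:
    """Map a flow endpoint to (ip, labels); unmanaged peers carry no labels."""
    w = inv.get(peer)
    return (w.ip, w.labels()) if w else (peer, frozenset())


def recommend_rules(flows, inv: dict, min_count: int = 2) -> List[Rule]:
    """Propose one rule per (source labels, destination labels, port, proto)
    seen at least min_count times; one-off flows are left for operator review."""
    seen = Counter()
    for f in flows:
        seen[(resolve(f.src, inv)[1], resolve(f.dst, inv)[1], f.port, f.proto)] += 1
    return [Rule(*key) for key, n in seen.items() if n >= min_count]


def permitted(src, dst, port, proto, rules, inv: dict) -> bool:
    """A rule matches when its label sets are subsets of each endpoint's labels."""
    s_labels, d_labels = resolve(src, inv)[1], resolve(dst, inv)[1]
    return any(r.port == port and r.proto == proto and r.src_labels <= s_labels
               and r.dst_labels <= d_labels for r in rules)


def evaluate(flow, rules, inv: dict, mode="test", denylist=frozenset()) -> Tuple[str, str]:
    """Default deny: a flow with no matching rule is reported as potentially
    blocked in "test" mode and blocked in "enforced" mode. Denylist wins over rules."""
    s_ip, d_ip = resolve(flow.src, inv)[0], resolve(flow.dst, inv)[0]
    if s_ip in denylist or d_ip in denylist:
        allowed, reason = False, "denylisted peer"
    else:
        allowed = permitted(flow.src, flow.dst, flow.port, flow.proto, rules, inv)
        reason = "matching rule" if allowed else "no matching rule"
    if allowed:
        return "allowed", reason
    return ("blocked" if mode == "enforced" else "potentially blocked"), reason


def exposure(dst, port, proto, rules, inv: dict, enforced=True) -> List[str]:
    """Workloads the policy lets reach (dst, port, proto); with enforcement
    off (a flat network) every other workload can reach it."""
    peers = [w.name for w in inv.values() if w.name != dst]
    if not enforced:
        return sorted(peers)
    return sorted(p for p in peers if permitted(p, dst, port, proto, rules, inv))


# Constructed inventory and observed flows (the "dependency map").
INVENTORY = {w.name: w for w in [
    Workload("shop-web-1", "10.0.1.10", "shop", "web", "prod"),
    Workload("shop-web-2", "10.0.1.11", "shop", "web", "prod"),
    Workload("shop-db-1", "10.0.2.10", "shop", "db", "prod"),
    Workload("shop-db-dev", "10.0.3.10", "shop", "db", "dev")]}
OBSERVED = [
    Flow("shop-web-1", "shop-db-1", 5432, "tcp"),
    Flow("shop-web-2", "shop-db-1", 5432, "tcp"),
    Flow("shop-web-1", "shop-db-1", 22, "tcp"),     # one-off: left for review
    Flow("shop-db-dev", "shop-db-1", 5432, "tcp")]  # dev-to-prod: left for review
# Hand-authored ingress rule: any source may reach the prod web tier on 443/tcp.
INGRESS = Rule(frozenset(), frozenset({("role", "web"), ("env", "prod")}), 443, "tcp")
DENYLIST = frozenset({"203.0.113.7"})  # constructed "known bad" address


def build_policy() -> List[Rule]:
    return recommend_rules(OBSERVED, INVENTORY) + [INGRESS]
```

Running `build_policy()` yields two rules: the recommended web-to-database rule on 5432/tcp (the two web servers share labels, so their flows aggregate into one rule) and the hand-authored ingress rule. The one-off SSH flow and the dev-to-prod flow fall below the threshold and are left for an operator to review; evaluated afterwards they come back as potentially blocked in test mode and blocked once enforced. The denylisted address is refused even though the ingress rule would otherwise admit any source. For an assumed vulnerability on the database’s 5432/tcp listener, `exposure()` reports all three peers on a flat network but only the two web servers once the policy is enforced, which is the kind of reachability the Vulnerability Exposure Score is meant to capture.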
Organizational controls
18. Application Software Security. Illumio supports this control by applying micro-segmentation policies to separate production from non-production systems. Illumio also programs host-based firewall rules to ensure that developers do not have unmonitored and unfettered access to production systems.
19. Incident Response and Management. Illumio supports this control. Authorized users can pull reports from the Illumio historical traffic database, events, and log data to support investigations and incident response workflows.
20. Penetration Tests and Red Team Exercises. Illumio supports this control. Organizations can use the information in the application dependency map, rulesets, and application groupings as a baseline for designing the scope of their pen tests.
To sum it up
Systemic events typically trigger an evaluation of existing security controls. Illumio helps companies take a pragmatic approach to evaluating and implementing the CIS Top 20 controls. Companies can do this by taking advantage of the following capabilities:
- Real-time application dependency mapping that helps to identify new connections and changes in connections to high-value systems that stem from changes in the operating model.
- Vulnerability Maps that calculate and visually illustrate the exploitability of a vulnerability. This helps prioritize controls and segmentation efforts around the riskiest assets and connections.
- Segmentation via a default-deny model that does not rely on re-architecting the networking architecture.
- API-based integration with third-party IT Ops, security and analytics tools that help you continuously monitor trends that introduce new risks to your company. These integrations also help you develop and implement plans to improve the efficacy of existing controls.
The CIS Top 20 Controls offer baseline security hygiene, but they also provide a framework for prioritizing the gaps and security controls that will have the highest impact on your organization.
If you’d like to learn more about Illumio’s capabilities, check out Illumio Core.